Basic mounts
Basic mounts allow binding a file or a directory and its contents from the parent host into an enclave.
Multiple basic mount points are supported in a single enclave.
This page describes the steps required to set up a basic mount.
Set up the basic mount on the parent host. In this example, you will bind the directory /home to the enclave named nginx:
First, set /home as the root directory for the basic mount.
$ anjuna-fs-proxy --enclave-name nginx --daemonize --anjunafs-rootdir /home
Then, create a directory enclave-data to bind to the enclave.
$ mkdir -p /home/enclave-data
Create an enclave configuration file with that basic mount:
version: 1.7
# define volume mounts for this enclave
mounts:
  # name of the basic mapping
  # host must include a file or directory with the same name inside rootdir
  - name: enclave-data
    type: basic
    # path to mount to inside the enclave
    mountPath: /shared/enclave-data
In this example, the parent host mounted the directory /home/enclave-data to /shared/enclave-data inside the enclave.
Multiple enclaves
Handling of basic mount points when more than one enclave runs on a host requires some small adjustments.
First, you need to run one anjuna-fs-proxy per enclave, and parametrize it using the enclave name.
For two enclaves, named nginx and postgres, sharing a common root dir /home, you would run:
$ anjuna-fs-proxy --enclave-name nginx --daemonize --anjunafs-rootdir /home
$ anjuna-fs-proxy --enclave-name postgres --daemonize --anjunafs-rootdir /home
The enclave configuration file is identical to the single enclave scenario. The mount points can be shared (the same across enclaves, with shared data) or separate (access only from the selected enclave). In the shared scenario, use the same root directory and mapping names; in the separate scenario use different root directories.
Terminating anjuna-fs-proxy
After terminating the enclave using anjuna-nitro-cli, you should terminate the filesystem proxy processes using the following commands:
$ pkill -f 'anjuna-fs-proxy --enclave-name nginx'
$ pkill -f 'anjuna-fs-proxy --enclave-name postgres'
pkill requires -f to match the full filesystem proxy command associated with the correct enclave.
Note that pkill matches against the command line used to run the service,
so any flags must be given in the same order as the original command.
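For the separate scenario described under Multiple enclaves, the following added example (not Anjuna's own code) starts one proxy per enclave only after checking that the two root directories do not overlap, and stops each proxy with the pkill pattern from this page. The root directories in the usage comment are hypothetical, and the overlap check is an added safeguard: a root directory nested inside another enclave's root directory would still be reachable from that other enclave.

```shell
#!/bin/sh
# Added example, not Anjuna's code. Enclave names come from this page;
# the root directories passed in are the operator's choice (hypothetical).

# Resolve a directory to its physical path (symlinks followed); fails if missing.
canon() { (cd -- "$1" 2>/dev/null && pwd -P); }

# Return 0 only if the two root directories are distinct and neither contains
# the other. Return 1 on overlap, 2 if either directory cannot be resolved.
roots_disjoint() {
    a=$(canon "$1") || return 2
    b=$(canon "$2") || return 2
    a=${a%/}; b=${b%/}   # "/" becomes "" so it counts as a parent of everything
    case "$a/" in "$b/"*) return 1 ;; esac
    case "$b/" in "$a/"*) return 1 ;; esac
    return 0
}

# The pkill -f pattern for one enclave's proxy: the start of the command line
# used to launch it, with flags in the same order.
proxy_pattern() { printf 'anjuna-fs-proxy --enclave-name %s' "$1"; }

# Start one proxy per enclave, refusing to start if the roots overlap.
# $1/$2 = first enclave name and root, $3/$4 = second enclave name and root.
start_separate() {
    if ! roots_disjoint "$2" "$4"; then
        echo "refusing to start: $2 and $4 overlap or are missing" >&2
        return 1
    fi
    anjuna-fs-proxy --enclave-name "$1" --daemonize --anjunafs-rootdir "$2" &&
    anjuna-fs-proxy --enclave-name "$3" --daemonize --anjunafs-rootdir "$4"
}

# Stop the proxy that belongs to one enclave, after the enclave is terminated.
stop_proxy() { pkill -f "$(proxy_pattern "$1")"; }

# Usage (directories are hypothetical):
#   start_separate nginx /srv/enclaves/nginx postgres /srv/enclaves/postgres
#   stop_proxy nginx; stop_proxy postgres
```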